SignatureVerificationFailedException processing unsigned SAML AuthnRequest

  • Question

  • I am attempting to integrate a web application that I'm responsible for with ADFS using SAML. I have previously successfully integrated this application with several other SAML IdPs, including Azure AD. I've set up Windows Server 2016 and ADFS in my dev environment and created a Relying Party Trust for my application. When I do an SP-initiated sign-in and the user gets redirected to ADFS (with the AuthnRequest in the redirect request URL), ADFS rejects the request, with this showing up in the ADFS log:

    Encountered error during federation passive request. 
    
    Additional Data 
    
    Protocol Name: 
    Saml 
    
    Relying Party: 
    com.onshape.saml2.sp 
    
    Exception details: 
    Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: MSIS0037: No signature verification certificate found for issuer 'com.onshape.saml2.sp'.
       at Microsoft.IdentityServer.Protocols.Saml.Contract.SamlContractUtility.CreateSamlMessage(MSISSamlBindingMessage message)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
    
    

    The AuthnRequest is unsigned and I previously did:

    Set-AdfsRelyingPartyTrust -SignedSamlRequestsRequired $False 
    

    so I don't understand why ADFS is rejecting the request.

    FWIW, the (decoded) request looks like this:

    <?xml version="1.0" encoding="UTF-8"?>
    <saml2p:AuthnRequest
        xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
        AssertionConsumerServiceURL="http://localhost.dev.onshape.com:8082/identity/saml2/sso"
        Destination="https://adfs.nmishkin.com/adfs/ls/"
        ForceAuthn="false"
        ID="a49ae29dec9631aa2ai1dad79heahef"
        IsPassive="false"
        IssueInstant="2019-07-10T19:26:36.860Z"
        ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Version="2.0">
      <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">com.onshape.saml2.sp</saml2:Issuer>
    </saml2p:AuthnRequest>
    

    Any ideas what the problem is?

    Nat




    Thursday, July 11, 2019 4:23 PM

Answers

  • Well you import the certificate with the public key of the signing cert of the RP in the Relying Party properties. There is a section for signing certs.

    Yes, this is the solution that worked for me too.

    I don't remember the exact history that led me to this conclusion but I think the diagnostic procedure was confused by the fact that (in addition to my originally incorrectly thinking I didn't need to supply a signing cert in the RP properties) the cert I initially supplied was expired. Once I used a valid cert everything worked.

    Saturday, January 11, 2020 2:30 PM
  • Well you import the certificate with the public key of the signing cert of the RP in the Relying Party properties. There is a section for signing certs.

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, January 10, 2020 2:11 PM
    Owner
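    The configuration step the answer describes (importing the SP's public signing certificate in the Relying Party Trust), done from PowerShell rather than the GUI. This is an added example, not code from the thread; it assumes the RP identifier 'com.onshape.saml2.sp' from the question and a hypothetical certificate path C:\certs\sp-signing.cer. It also checks the certificate's validity window before importing it, since the answer notes that an expired certificate produced the same failure, and it names the trust explicitly with -TargetIdentifier.

```powershell
# Added example (not from the thread). Registers the SP's request-signing certificate
# on an ADFS Relying Party Trust and confirms the resulting signing settings.
# Assumptions: RP identifier from the question; certificate path is hypothetical.
Import-Module ADFS

$rpIdentifier = 'com.onshape.saml2.sp'
$certPath     = 'C:\certs\sp-signing.cer'   # hypothetical path to the SP's public signing cert (.cer)

# Load the public certificate and refuse one that is outside its validity window:
# an expired verification cert fails the same way as a missing one.
$cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certPath
$now  = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
    throw "Certificate $($cert.Thumbprint) is not currently valid (NotBefore=$($cert.NotBefore), NotAfter=$($cert.NotAfter))"
}

$rp = Get-AdfsRelyingPartyTrust -Identifier $rpIdentifier
if (-not $rp) { throw "No Relying Party Trust with identifier '$rpIdentifier'" }

# RequestSigningCertificate is what ADFS uses to verify a signed AuthnRequest.
# SignedSamlRequestsRequired only controls whether ADFS *rejects unsigned* requests;
# a request that arrives signed is still verified, and needs this certificate.
Set-AdfsRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -RequestSigningCertificate $cert `
    -SignedSamlRequestsRequired $false

# Read the trust back and show what ADFS will now verify with.
$rp = Get-AdfsRelyingPartyTrust -Identifier $rpIdentifier
$rp | Select-Object Name, Identifier, SignedSamlRequestsRequired
$rp.RequestSigningCertificate | Select-Object Subject, Thumbprint, NotBefore, NotAfter
```

    Once the SP's signing certificate is registered and the request actually verifies, consider setting -SignedSamlRequestsRequired $true: with it off, ADFS accepts an unsigned AuthnRequest from anyone who can craft one for that issuer, which is fine for a dev environment but not the setting you want in production.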

All replies

  • I had the same problem just this week as well. We could do IDP initiated sign-on but not SP initiated (got the same error as you even after running the same PowerShell). The problem turned out to be that when the app was doing SP initiated sign-on, it was still adding a signature at the HTTP request level to the SAML request. After not much help from the vendor we tried adding the HTTPS cert of the application as the signing cert of the RP in ADFS and it finally worked. Hope this at least helps give you another place to investigate.

    [Screenshot of SAML signature at HTTP request level]
    Wednesday, July 17, 2019 5:07 PM
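    A way to check for the situation this reply describes, and to confirm what the question's decoded request does or does not contain: with the HTTP-Redirect binding, a signature over the AuthnRequest is carried in the SigAlg and Signature query parameters of the redirect URL, not inside the XML, so the decoded XML can look unsigned while the request as sent is signed. The script below is an added example, not code from the thread or from ADFS. It encodes the AuthnRequest quoted in the question into a redirect URL (DEFLATE, then Base64, then URL-encoding, as the binding specifies), decodes it back, and reports whether the request is signed at the binding level or inside the XML. The second URL appends a placeholder Signature value that is not a real signature; it only shows how the check distinguishes the two cases.

```powershell
# Added example (not from the thread). Decode a SAMLRequest from an HTTP-Redirect
# binding URL and report where, if anywhere, the AuthnRequest is signed:
#   - binding level: SigAlg + Signature query parameters (never visible in the XML)
#   - XML level:     a ds:Signature child of samlp:AuthnRequest
# Sample input is constructed below from the AuthnRequest quoted in the question.
Add-Type -AssemblyName System.Web

function ConvertTo-SamlRedirectParam {
    # Redirect-binding encoding of the XML: raw DEFLATE, then Base64 (caller URL-encodes).
    param([Parameter(Mandatory)][string]$Xml)
    $bytes   = [System.Text.Encoding]::UTF8.GetBytes($Xml)
    $out     = New-Object System.IO.MemoryStream
    $deflate = New-Object System.IO.Compression.DeflateStream($out, [System.IO.Compression.CompressionMode]::Compress, $true)
    $deflate.Write($bytes, 0, $bytes.Length)
    $deflate.Dispose()
    return [Convert]::ToBase64String($out.ToArray())
}

function ConvertFrom-SamlRedirectParam {
    # Inverse of the above: Base64 decode, then inflate raw DEFLATE, as UTF-8 text.
    param([Parameter(Mandatory)][string]$Encoded)
    $raw     = [Convert]::FromBase64String($Encoded)
    $in      = New-Object System.IO.MemoryStream(,$raw)
    $inflate = New-Object System.IO.Compression.DeflateStream($in, [System.IO.Compression.CompressionMode]::Decompress)
    $reader  = New-Object System.IO.StreamReader($inflate, [System.Text.Encoding]::UTF8)
    return $reader.ReadToEnd()
}

function Get-SamlRedirectSignatureInfo {
    param([Parameter(Mandatory)][string]$Url)
    # ParseQueryString URL-decodes each value for us.
    $query = [System.Web.HttpUtility]::ParseQueryString(([System.Uri]$Url).Query)
    if ([string]::IsNullOrEmpty($query['SAMLRequest'])) { throw 'No SAMLRequest parameter in URL' }

    [xml]$doc = ConvertFrom-SamlRedirectParam $query['SAMLRequest']
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')
    $ns.AddNamespace('ds',    'http://www.w3.org/2000/09/xmldsig#')

    [pscustomobject]@{
        Issuer        = $doc.SelectSingleNode('/samlp:AuthnRequest/saml:Issuer', $ns).InnerText
        Destination   = $doc.DocumentElement.GetAttribute('Destination')
        XmlSigned     = $null -ne $doc.SelectSingleNode('/samlp:AuthnRequest/ds:Signature', $ns)
        BindingSigned = -not [string]::IsNullOrEmpty($query['Signature'])
        SigAlg        = $query['SigAlg']
    }
}

# Constructed input: the AuthnRequest from the question (single-quoted here-string, no interpolation).
$authnRequest = @'
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="http://localhost.dev.onshape.com:8082/identity/saml2/sso"
    Destination="https://adfs.nmishkin.com/adfs/ls/" ForceAuthn="false"
    ID="a49ae29dec9631aa2ai1dad79heahef" IsPassive="false" IssueInstant="2019-07-10T19:26:36.860Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">com.onshape.saml2.sp</saml2:Issuer>
</saml2p:AuthnRequest>
'@

$encoded     = [System.Web.HttpUtility]::UrlEncode((ConvertTo-SamlRedirectParam $authnRequest))
$unsignedUrl = "https://adfs.nmishkin.com/adfs/ls/?SAMLRequest=$encoded"
Get-SamlRedirectSignatureInfo $unsignedUrl     # BindingSigned=False, XmlSigned=False

# Same request with binding-level signature parameters appended. 'PLACEHOLDER=' is not a
# real signature; the check only tests for presence, which is what makes the request
# "signed at the HTTP request level" in the sense the reply above describes.
$sigAlg    = [System.Web.HttpUtility]::UrlEncode('http://www.w3.org/2001/04/xmldsig-more#rsa-sha256')
$signedUrl = "$unsignedUrl&SigAlg=$sigAlg&Signature=$([System.Web.HttpUtility]::UrlEncode('PLACEHOLDER='))"
Get-SamlRedirectSignatureInfo $signedUrl       # BindingSigned=True,  XmlSigned=False
```

    To check a real SP, capture the Location header (or browser address bar) of the redirect to /adfs/ls/ and pass that URL to Get-SamlRedirectSignatureInfo. If BindingSigned comes back True, the trust needs a RequestSigningCertificate that matches the key the SP signs with, whatever SignedSamlRequestsRequired is set to.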
  • Hi, did you find a solution to this one. We are receiving the same error and stumbled across this page.
    Friday, January 10, 2020 1:46 PM